CVE-2020-7066

information disclosure in function get_headers

Publication Date	2020-04-01
Severity	Low
Type	Information Disclosure
Affected PHP Versions	5.6.0 - 5.6.40 7.0.0 - 7.0.33 7.1.3 - 7.1.33 7.2.0 - 7.2.8 7.3.0 - 7.3.15 7.4.0 - 7.4.3
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendServer 2019.0.5

CVE Details

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with a user-supplied URL, if the URL contains a zero (\u0000) character, the URL will be silently truncated at its first occurence. This may cause some software to make incorrect assumptions about the target of the get_headers(), which could lead to sending information to the wrong server or path on a server.

Recommendations

Upgrade to 7.2.9 or above, 7.3.16 or above, or 7.4.4 or above.

< View all CVEs